COMPLIANCE COUNSELOR

A preview of PCI virtualization specifications


Michael Cobb, Contributor
03.04.2009


Imagine this scenario: You've successfully migrated all the company's non-critical applications, the internal infrastructure and the development center on to virtual servers. Management is happy because you've lowered both capital and operating costs, increased energy efficiencies, as well as improved business continuity.

But like every business at the moment, your managers need you to reduce costs even further. They're pushing for you to consolidate and run the mission-critical applications, including the Internet-facing e-commerce ones, on virtualized servers, too. But can you remain compliant with the Payment Card Industry Data Security Standard (PCI DSS) while fully leveraging the business benefits of virtualization?

What PCI has to say about virtualization
This is a problem many IT managers face, and there's a distinct lack of guidance on virtualization from the PCI Security Standards Council. Version 1.2 of the standard, released in October, did clarify a number of issues, but it didn't address virtualized environments.

To benefit from virtualization, virtual servers will typically have multiple functions running on a single physical server. Section 2.2.1 of the PCI DSS, however, states that a server should perform only one primary function. So, according to the standard, Web servers and database servers should each be implemented on a separate machine. For a company that needs to be PCI compliant, those restrictions make the task of virtualizing an infrastructure a difficult one.

The PCI Data Security Standard does not yet address virtualized servers or related audit requirements, meaning that qualified security assessors (QSAs) must use their own judgment to determine whether organizations that implement virtualized servers meet the PCI mandates. This less-than-ideal situation is compounded when you consider that IT and security professionals themselves are still unsure of how virtualization changes the risk profile of a system, especially when the technology has been described as one that keeps "all the eggs in one basket," because a compromise of the VM host compromises all the virtual servers running on it.

PCI virtualization specifications on the way
Thankfully, this is a short-term situation, as a PCI Security Standards Council special interest group (SIG) for virtualization is currently taking shape. Its aim will be to address the challenges and issues associated with virtualization and PCI compliance, providing much-needed explanation in the same way the clarification document regarding Web application firewalls and code reviews had done in early 2008.

The virtualization SIG will solicit feedback from not only participating organizations, such as VMware Inc., Microsoft and other industry stakeholders, but also the security assessors that currently perform assessments. They will no doubt focus on the security of host servers. Any VM containing credit card-related data means its host server is also in-scope. Other issues to be addressed include access control, monitoring and the security of remote console sessions to the VMs. Adequate security for clones and copies of virtualized servers, such as those used for disaster recovery and business continuity, should be covered as well.

The decision that will have the biggest effect on merchants will be whether virtualization provides adequate zoning and separation of functions. That choice will determine whether virtual servers are acceptable as long as each performs only a single function. For example, will a merchant be able to run in-scope and out-of-scope virtual servers on the same hardware? In such a situation, there would certainly need to be a firewall in place to separate the virtual servers into zones.

One approach may be to dedicate a hypervisor to compliant systems handling PCI-covered data only, which would avoid the non-compliant state of having multiple classifications of data residing on the one storage medium. A current best practice is not to run virtual machines from multiple secure zones on the same host. The upcoming clarification document will also need to stress monitoring not just the VM workloads but the hypervisors themselves, using products such as those from Tripwire Inc. Comprehensive monitoring offers reporting ability, which will certainly help toward demonstrating compliance.
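The three rules the article lays out (a host running any in-scope VM is itself in scope; VMs from different secure zones should not share a host; PCI DSS 2.2.1 expects one primary function per server) are easy to check against a VM inventory. The script below is an added example, not code from the article or from any vendor; the inventory, its field names and the host and zone labels are constructed for illustration.

```python
"""Added example: check a constructed VM inventory against the placement
rules discussed in the article. Field names and values are assumptions."""
from collections import defaultdict

# Constructed inventory (not real systems). "chd" marks a VM that stores,
# processes or transmits cardholder data; "roles" lists primary functions.
INVENTORY = {
    "web-01":  {"host": "esx-a", "zone": "dmz",      "chd": True,  "roles": ["web"]},
    "db-01":   {"host": "esx-b", "zone": "cde",      "chd": True,  "roles": ["db"]},
    "app-01":  {"host": "esx-b", "zone": "cde",      "chd": True,  "roles": ["web", "db"]},
    "build-1": {"host": "esx-c", "zone": "internal", "chd": False, "roles": ["ci"]},
    "intra-1": {"host": "esx-a", "zone": "internal", "chd": False, "roles": ["intranet"]},
}


def hosts_in_scope(inv):
    """A host is in scope as soon as any VM on it handles cardholder data."""
    return sorted({vm["host"] for vm in inv.values() if vm["chd"]})


def mixed_zone_hosts(inv):
    """Hosts whose guests span more than one security zone (best-practice violation)."""
    zones = defaultdict(set)
    for vm in inv.values():
        zones[vm["host"]].add(vm["zone"])
    return {host: sorted(z) for host, z in zones.items() if len(z) > 1}


def multi_function_vms(inv):
    """VMs carrying more than one primary function (PCI DSS 2.2.1)."""
    return sorted(name for name, vm in inv.items() if len(vm["roles"]) > 1)


def findings(inv):
    """Combine the three checks into one report an assessor could review."""
    return {
        "hosts_in_scope": hosts_in_scope(inv),
        "mixed_zone_hosts": mixed_zone_hosts(inv),
        "multi_function_vms": multi_function_vms(inv),
    }


if __name__ == "__main__":
    for key, value in findings(INVENTORY).items():
        print(f"{key}: {value}")
```

On the constructed inventory, esx-a is flagged for mixing the DMZ and internal zones, both esx-a and esx-b land in scope, and app-01 is flagged for running two primary functions.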

It will be some time before the virtualization SIG is able to quantify the risks posed by a virtualized environment and establish auditing standards to assess host servers and guest virtual machines. QSAs are used to auditing and assessing risk in highly segmented and layered architectures where duties and responsibilities are largely separated and well-defined. The opposite is true in virtualized architectures, which means another auditing approach is necessary.

My view is that the most conservative approach would be to delay implementing virtualization and wait for the findings and recommendations of the SIG in order to ensure your chosen product doesn't fail any upcoming revisions to requirements. When the PCI requirements for security in virtual environments are announced, they will have some fairly broad implications for the whole cloud computing community.

For those who are more bullish on virtualization, when researching some of the virtualization security products coming onto the market today, I would recommend paying particular attention to their management control features. For example, to what degree can an organization limit the scope of permissions to specific objects or parts of the infrastructure and grant the correct access rights to the right people, without violating the principle of "least privilege"? Separation of duties between hosts and VMs will be critical to achieve compliance.

To that end, administrators looking to get a head-start should be aware that VMware, one of the major virtualization vendors, has launched the VMware Compliance Center website: an initiative to help merchants understand how to achieve, maintain and demonstrate compliance of various industry standards in virtual environments. I also recommend reading the case studies of companies that have successfully passed compliance audits in their VMware environments. Good documentation to prove there are sufficient controls in the virtualized environment seems to be a common component of setups that have passed an audit. It's also important to choose an assessor who understands security controls in a virtual environment and has experience in how they should be deployed.

The bottom line is that virtualization is a complex and evolving technology, and those looking to implement virtualized systems in the near-term -- regardless of the business drivers, such as cost reduction, availability and resiliency -- should be aware that PCI compliance guidelines will likely be in a state of flux for some time. That means implementations may be forced to evolve as well.

About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several SearchSecurity.com Security Schools and, as a SearchSecurity.com site expert, answers user questions on application security and platform security.

